Research

Though I have tailed off a bit from my ridiculous pace of two years ago, I still go see a lot of live music. Although many of these acts make a mint, it’s not an easy life. I can only imagine how difficult it is to be on the road for months at a time. It’s hard enough for me, and I’m only gone one or two nights at a time. Though it’s not like I’m staying at the Ritz every night (don’t tell Rich I’m staying at the Ritz, okay?). But there are examples of bands that do a job and earn their money every night. Let me highlight two great examples. First off, I saw Green Day during the summer. Those guys are one of the biggest bands in the world right now, but they haven’t forgotten where they came from. They played for almost 3 hours, had folks doing stage dives, and even gave a guitar to a lucky audience member. At one point they all dressed in drag for a few laughs. And repeatedly they made the point about how much they appreciated their fans and that they give everything every night to make sure the fans get their money’s worth. They know that seeing a rock concert is a luxury for many people, and are grateful their fans choose to spend money they may not have to see them play music. Next I’ll highlight Styx. I saw them a few weeks ago on their Grand Illusion/Pieces of Eight tour. They played each album in its entirety and it was like stepping into a time machine. These guys haven’t had a hit record in decades, but they are able to travel around and play their classics year after year. And folks like me show up every time, which I assume provides a decent living for guys who probably carry AARP cards. They get how lucky they are and they play like it. It was a great show. I guess my point is that we all have fans, whatever that definition is. Folks who allow you to do what you do. Do you appreciate them? Really? In the day to day mayhem of deadlines and other demands, I need to remember that without our readers and contributors, I wouldn’t be able to do what I love. With Thanksgiving coming up, I want to let you know how appreciative I am. For all of you who read our stuff, who show up when we pontificate, and who ask for our advice, thank you. I know I speak for Rich and Adrian as well. We know how good we have it, and that’s because of you. So before you take off for the long weekend (if you are in the US, anyway), make sure your fans know you appreciate them. I know they’d appreciate being appreciated. Photo credits: “Starsky & Hutch Appreciation Fan Club originally uploaded by Ged Carroll Incite 4 U Truth in advertising? – Stop reading this and click this link. Read the words in the picture very carefully. Doesn’t it make a pretty acronym? Mike is pretty slow, so I’ll spell it out. The first letters of McAfee’s three attributes (Focused, Unwavering, & Dedicated) spell out FUD. Really. You have to see it to believe it. I have a really hard time believing this was completely accidental, and nobody at McAfee was sniggering when they came up with it. Perhaps some marketing wonk misunderstood the meaning. Perhaps someone knew what they were doing, and wanted to see if they could pull a fast one. Perhaps this was a Titanic example of proofreading FAIL. I actually saw that while driving to my hotel for an appointment today, but only off in the distance when I couldn’t read it. Anyway, I suspect it won’t be up for long, which is too bad because it shows a heck of a sense of humor. Maybe. – RM Why bother? – The SQL Server 2008 option for massively parallel servers is going to be late. Actually, it’s already late, but it’s going to be even late-er-er or something like that. But the question in my mind is why? Why play this game at all? Why try to be the biggest and fastest relational database out there when performance benchmarks have not been a major buying considerations for databases in 15 years. Teradata has a killer database that scales great … but it’s not exactly dominating the market. Look at super-fast databases and database hardware providers historically, and tell me how they have generally done. Ant? Sequent? Yeah, exactly. I can see why Microsoft would like to be a player in that lucrative field, but the number of firms willing to spend $40k per processor on giant mission critical transaction processing systems is dwindling. BI and data warehousing is moving to generic cloud based non-relational data stores that perform 10 to 100 times better, but can be leased at fractions of the price. And the requirements of the data warehousing market are changing. My guess is that cloud services will be “good enough”, and this will be a case where “cheap, fast, and easy” cuts the massively parallel server market down before Microsoft arrives on the scene. – AL Ray Noorda rolls in his grave… – Like Shimmy, I remember when Novell was the king of networking. In fact, I cut my teeth on a Novell LAN (Token Ring, in fact) and am happy to say I have a CNE (that lapsed probably 20 years ago). But Novell is no more. It’s being acquired by Attachmate for a cool $2.2 billion. And that doesn’t seem to include some intellectual property that Microsoft is buying. It seems Attachmate is becoming a friendly CA, in that they buy mature, slow-growth businesses with big customer bases and the associated maintenance streams. Novell does compete in some growth markets like Identity Management, SIEM, and desktop management – but really the private equity guys are using leverage to buy cash flow. It’s a good model for the investors – not sure for customers.

Skipped out of town for a much needed vacation Friday, and spent the weekend in a very remote section of desert. I spent my time hiking to the top of several peaks and overlooking vast areas of uninhabited country. I rode quads, wandered around a perfectly intact 100 year old mine shaft, did some target practice with a new rifle, built giant bonfires, and sat around BSing with friends. A total departure from everyday life. So I was in a semi-euphoric state, and trying to ease my way back into work. I was not planning on delving into complex security philosophy and splitting semantic hairs. But here I am … talking about Quantum Datum. Rich’s Monday FireStarter is a departure from the norm for security. The resultant comments, not so much. Cloud, SaaS, and other distributed resource usage models are eviscerating perimeter based security models. For a lot of you who read this blog that’s a somewhat tired topic, but what to do about it is not. You need to view Rich’s comments from a data perspective. If the goal is to secure data, and the data must be self-defending because it can’t trust the infrastructure, what we do today breaks. As is his habit, Gunnar Peterson succinctly captured the essence of the friction between IT & Security in response to Mike’s “Availability Is Job #1” post: I agree that availability is job 1, its just not security’s job. We have built approx zero systems that have traditional cia, time to move on. And we fall back into the same mindset, as we don’t have a mental picture of what Rich is talking about. The closest implementations we have are DLP and DRM, and they are still still off the mark. I look at traditional C-I-A as a set of goals for security in general, and attribution as a tool – much in the way encryption and access control are tools. Rereading Rich’s post, I think I missed some of the subtleties. Rich is describing traits that self-defending data must possess, and attribution is the most difficult to construct because it defines specific use cases. Being so entrenched in our current way of thinking limits our ability to even discuss this topic in a meaningful way, because we have unlearn certain rules and definitions. Is availability job 1? Maybe. If you’re a public library. If you’re the Central Intelligence Agency, no way. Most data will fall somewhere between these two extremes, and should have restrictions on how it is available. So the question becomes: when is data available? Attribution helps us determine what’s allowed, or when data is available, and under what circumstances. But we build IT systems with the concept that the more people can access and use data, the more value it has. Rich is right: treating all data like it should be available is a broken model. Time to learn a new C-I-A. Share:

I had an insanely early flight this morning for some client work in the Bay Area, so last night I hopped out to fill up on gas and grab some pizza for family movie night (The Muppets Take Manhattan, in case you were wondering). I’m at the gas station when the guy at the pump next to me asks if I ever shop at Target. This is the sort of question that raises my wariness under most circumstances, and since we were, at that moment, about 100 meters from said Target, this line of conversation was clearly headed someplace interesting. My curiosity piqued, I said, “yes”. My pump-mate then proceeded to ask me, “We’re just trying to get some cash to find a place to stay tonight, I have this $50 gift card that I’ll sell you for $40…” “No thanks.” I realize it’s been over two decades since I lived in New Jersey (the part that likes to say they’re from New York), but some instincts never die. Anyone reading this blog knows that said gift card was, shall we say, certified pre-owned. The odds of there being $.01 left on it, never mind $50, were significantly lower than those of my baby’s diaper not requiring a full hazmat response. Or it was totally fake. This isn’t that significant an event. Most of you encounter this sort of stuff every couple years or so, at a minimum. I even once fell for an artful scam when I was traveling abroad, although my paranoia did manage to constrain the damage. But I do find the parallels with online scams interesting. Unlike my overseas adventure, this dude was clearly not the most trustworthy on the face of the planet. That’s one nice thing about online – even with bad grammar, no one knows you smell like a wet dog on a three week bender, and look like Lindsay Lohan after a weekend drug vacation with Charlie Sheen. And this dude had to run from location to location, because sitting still for very long would result in a call to law enforcement. And never mind that each contact is a one-off, costing time and gas. Perhaps it’s an effective scam, but certainly not overly efficient. Anyway, it’s been a long time since someone tried to defraud me face to face, so it was kind of refreshing. Share:

As we all get ready for the turkey-induced food coma awaiting us Yanks in two days, let me expand a bit on an incomplete thought put forth by the Hoff. His Cloudiness wonders aloud if Compliance is the Autotune of the Security Industry. Instead of having to actually craft and execute a well-tuned security program which focuses on managing risk in harmony with the business, we’ve simply learned to hum a little, add a couple of splashy effects and let the compliance Autotune do it’s thing. Genius. Forget that squirrel stuff, Hoff should just dub himself T-Comply. It’s actually worse than this. Our friends at the PCI Security Standards council have not only provided the sheet music, but also the equivalent of a nice little iPad app that has a big red button in the middle saying COMPLY. Press the button, it makes your friendly assessor go away (with his/her check for lots of money for the ROC), and you go back to playing World of Warcraft, right? Many of us rue the fact that compliance is the only thing that gets the attention of senior management. And this has resulted in the elimination of one bar previously security had to clear. These days there is really only one bar to get over: the ‘COMPLIANT’ rubber stamp you need in the annual report. There is little incentive to go beyond compliance, because if it’s good enough for the card brands it should be good enough for you, right? Of course, that’s wrong. But the ‘good’ news is that most people and organizations believe it. And they build their Auto-Tune security programs to just barely clear the bar. They are the folks at the bottom of the fraud food chain. So the reality is that Auto-Tune security is good for you, as long as you can convince senior management to clear the bar by a couple feet. Remember: You don’t have to outrun the grizzly – just your slowest friend. Yes, that’s easier said than done, but as you are munching on gizzards Thursday (or veggie meatballs and Tofurky, as it may be) be thankful that Auto-Tune security has emerged. It makes you look like a Security Rockstar in comparison. Though Chris could have used some Auto-Tune magic himself on that one. Share:

It’s drilled into us as soon as we first cut our help-desk umbilical cords and don our information security diapers: C is for Confidentiality I is for Integrity A is for Availability We cite it like a tantric mantra. Include it in every presentation, as if anyone in the audience hasn’t heard it. Put it on security tests, when it’s the equivalent of awarding points for spell your name at the top. We even use it as the core of most of our risk management frameworks. Too bad it’s wrong. Think about this for a moment. If availability is as important as confidentiality or integrity, how is CIA even possibly internally consistent? Every time we ask for a password we reduce availability. Every time we put in a firewall, access control, encryption, or nearly anything else… we restrict availability. At least when we are talking about information security. When we talk about infrastructure security, I agree that availability is still very much in the mix. But then we aren’t really concerned with confidentiality, for example – although we might still include integrity. Keeping the bits flowing? That’s infrastructure rather than information security. (And yes, it’s still important). But I do think there is still a place for the “A”. I mean, who wants to ruin a perfectly good acronym? Especially one with a pathetically juvenile non-sexual double entendre. A doesn’t stand for Availability, it stands for Attribution. Logging, monitoring, auditing, and incident response? Knowing who did what and when? That’s all attribution. Who owns a piece of information? Who can modify and change it? All that relies on attribution. Pretty much all of identity management – every username, password, and token: attribution. Availability? When it comes to information, that’s really a usability issue… not security. If anything, more availability means less security. Changing A from Availability to Attribution solves that problem and makes security internally consistent. (This is a prelude to a series of deeper theoretical (nope, not pragmatic) posts based on my Quantum Datum work. Special thanks to the Securosis Contributors for helping me flesh it out – especially Gunnar). Share:

Now that the media has feasted on the Stuxnet carcass, it gives me a moment of pause. What of a different perspective? I know – madness, right? But seriously, we have seen the media in a lather over this story for some time now. Let’s be honest – to someone who has worked in the SCADA community, this really is nothing new. It’s just one incident that happened to come to light. An alternative angle to the story, which seems to have been shied away from, is under-financed but motivated agents. Technical ‘resources’ with too much free time and a wealth of knowledge. This is not a new idea – just look at the abundance of open source projects that rely heavily on this concept: smart people with free time on their hands. What happens when you combine a surfeit of technical competence with a criminal bent? This was well documented back in the 80’s, when a group of German hackers led by Karl Koch were arrested for selling source code they had purloined from US government and corporate computers to the KGB. In this case these hackers were receiving payments in the form of cocaine and cash. Nothing major, just enough to keep them happy (and awake during their coke-fueled coding sessions). At least that was the idea until they were caught and Karl met his untimely end in a German forest in 1989. The argument will invariably be: how could they have the knowledge required for some of these attacks? Ever worked for a power company? There are usually a good number of disgruntled workers and $1,000 US will go a long way in some countries. It was also not difficult to gain access to the documentation from most control system vendors until recently. To borrow from Rich Mogull: funding = resources – the biggest of which are time and knowledge. Looking back to my earlier statement, this is something that a lot of disaffected hackers in former eastern bloc countries have in droves. Throw in some cash and drugs and you could have a motivated crew. I don’t think this is the case, but you must admit it’s within the realm of possibility. After all, this is not without precedent. There’s a skeleton in a forest someplace to prove it. Share:

Rich makes the case that A Is Not for Availability in this week’s FireStarter. Basically his thinking is that the A in the CIA triad needs to be attribution, rather than availability. At least when thinking about security information (as opposed to infrastructure). Turns out that was a rather controversial position within the Securosis band. Yes, that’s right, we don’t always agree with each other. Some research firms gloss over these disagreements, forcing a measure of consensus, and then force every analyst to toe the line. Lord knows, you can never disagree in front of a client. Never. Well, Securosis is not your grandpappy’s research firm. Not only do we disagree with each other, but we call each other out, usually in a fairly public manner. Rich is not wrong that attribution is important – whether discussing information or infrastructure security. Knowing who is doing what is critical. We’ve done a ton of research about the importance of integrating identity information into your security program, and will continue. Especially now that Gunnar is around to teach us what we don’t know. But some of us are not ready to give up the ghost on availability. Not just yet, anyway. One of the core tenets of the Pragmatic CSO philosophy is a concept I called the Reasons to Secure. There are five, and #1 is Maintain Business System Availability. You see, if key business systems go down, you are out of business. Period. If it’s a security breach that took the systems down, you might as well dust off your resume – you’ll need it sooner rather than later. Again, I’m not going to dispute the importance of attribution, especially as data continues to spread to the four corners of the world and we continue to lose control of it. But not to the exclusion of availability as a core consideration for every decision we make. And I’m not alone in challenging this contention. James Arlen, one of our Canadian Wonder Twins, sent this succinct response to our internal mailing list this AM: As someone who is often found ranting that availability has to be the first member of the CIA triad instead of the last, I’m not sure that I can just walk away from it. I’m going to have to have some kind of support, perhaps a process to get from hugging availability to thinking about the problem more holistically. Is this ultimately about the maturation of the average CIO from superannuated VP of IT to a real information manager who is capable of paying attention to all the elements of attribution (as you so eloquently describe) and beginning the process of folding in the kind of information risk management that the CISOs have been carrying while the CIO plays with blinky lights? James makes an interesting point here, and it’s clearly something that is echoed in the P-CSO: the importance of thinking in business terms, which means it’s about ensuring everything is brought back to business impact. The concept of information risk management is still pretty nebulous, but ultimately any decision we make to restrict access or bolster defenses needs to be based on the economic impact on the business. So maybe the CIA acronym becomes CIA^2, so now you have availability and attribution as key aspects of security. But at least some of us believe you neglect availability at your peril. I’m pretty sure the CEO is a lot more interested in whether the systems that drive the business are running than who is doing what. At least at the highest level. Share:

Lin Mun Poo of Malaysia sounds like a pretty bad-ass criminal hacker. He cracked into the Federal Reserve, and snagged hundreds of thousands of card numbers from a bank in Cleveland. But perhaps his intellectual skills don’t extend quite as far as they should for criminal survival. The article describes how he was nabbed selling card numbers in Brooklyn a few hours after landing at Kennedy airport. If you’re a conspiracy nut, the following sentence might indicate the government has some secret master key to crack your encryption: The stolen card numbers were found on his encrypted laptop after he was nabbed… In our internal chat room, Dave Lewis thinks this was all a sting, and his computer was probably unlocked as he was showing off the numbers. Considering how fast they nabbed him, that’s my guess too. You sort of have to wonder why he came to the US in the first place, considering it’s easy to sell that stuff in underground markets, also supporting the sting theory. But there’s one more interesting bit: Poo has also confessed to breaking into networks of several international banks and a major Defense contractor, the complaint states. Gee, I wonder when we’ll see those disclosures go out? Yeah, probably not. Share:

As I continue working through the nuances of my 2011 research agenda, I’ve been throwing trial balloons at anyone and everyone I can. I posted an initial concept I called Vaults within Vaults and got some decent feedback. At this point, I’ve got a working concept for the philosophies we’ll need to embrace to stand a chance moving forward. As the Vaults concept describes, we need to segment our networks to provide some roadblocks to prevent unfettered access to our most sensitive information. The importance of this is highlighted in PCI, which means none of this is novel – it’s something you should be doing now. Stuxnet was a big wake-up call for a lot of folks in security, and not just organizations protecting Siemens control systems. The attack vectors shown really represent where malware is going. Multiple attack paths. Persistence. Lightning fast propagation using a variety of techniques. Multiple zero day attacks. And using traditional operating systems to get presence and then pivoting to attack the real target. Now that the map has been drawn by some very smart (and very well funded) attackers, we’ll see these same techniques employed en masse by many less sophisticated attackers. So what are the keys to stopping this kind of next generation attack code? OK, the first is prayer. If you believe in a higher power, pray that the bad guys are smitten and turned into pillars of salt or something. Wouldn’t that be cool? But in reality waiting for the gods to strike down your adversaries usually isn’t a winning battlefield strategy. Failing that, you need to make it harder for the attackers to get at your information. So I liked this article on the Tofino blog. It makes a lot of points we’ve been discussing about for a while within the context of Stuxnet. Flat networks are bad. Segmented networks are good. Discover and classify your sensitive data, define proper security zones to segregate data, and only then design the network architecture to provide adequate segmentation. I’ll be talking a lot more about these topics in 2011. But in the meantime, start thinking about how and where you can/should be adding more segments to your network architecture. Share:

I got distracted by email. The Friday Summary was going to be about columnar databases. I think. Maybe it’s the flu I have had all week, or my memory is going, or just perhaps the subject was not all that interesting to begin with. But the email that distracted me was kind of funny and kinda sad. A former friend and co-worker contacted me for the first time is something like 10 years. Out of the blue. The gist of the email was he was being harassed by someone with threatening emails. After a while he started to worry and wondered if the mystery harasser was serious. So he contacted the police and forwarded the information to the FBI. No response. Met with the police and they have no interest in further investigation unless there is something more substantive. You know, like a chalk outline. In frustration he reached out to me to see if he could discover the sender. Now I am not exactly a forensics expert, but I can read email headers and run reverse DNS lookups and whois. And in about three minutes I walked this person through the email header and showed the originating accounts, domains, and servers. Easy. Now I must assume that if you know about email header information and don’t want to be traced, with a little effort you could easily cover your tracks. Temp Gmail or Yahoo accounts? Use cloud or hijacked servers, or even the public library computer can hide your tracks? No? How about using your freakin’ Blackberry with your real email account, but just changing the user name? Yeah, that’s the ticket! I am occasionally happy that there are stupid people on the planet. Oh, and since you asked for it (and you know who you are), here’s the Monkey Dance: (-shuffle-shuffle-spin-shuffle-backflip). The video is too embarrassing to post. Yeah, you can make us dance for a .99 cent Kindle subscription. You ought to see what we do for an $8k retainer! On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Someone seems to think we’re one of the top 5 security influencers. Rich thinks Rothman must have paid them. Rich’s presentation at the Cloud Security Congress mentioned in this SearchSecurity article. Adrian’s comments on a database security survey. Favorite Securosis Posts Mike Rothman: Datum Entanglement. Rich’s big thoughts on where information-centric security needs to go. At least the start of those big thoughts… Rich: Rethinking Security. Adrian Lane: Datum Entanglement. Geek out! Le Geek, C’est Chic. Other Securosis Posts Incite 11/17/2010: Hitting for Average. What You Need to Know about DLP for PCI 2.0. React Faster and Better: Mop up, Analyze, and QA. Favorite Outside Posts Mike Rothman: 2011: The Death of Security As We Know IT or Operationalizing Security. From Amrit: “Security must be operationalized, it must become part of the lifecycle of everything IT.” Yeah, man. Rich: Brian Krebs on the foolishness of counting vulnerabilities. Adrian Lane: Amrit’s Operationalizing Security. Because, in its current position, security can only say “No”. Gunnar Peterson: Challenge of Sandboxing by Scott Stender. Project Quant Posts NSO Quant: Index of Posts. NSO Quant: Health Metrics – Device Health. NSO Quant: Manage Metrics – Monitor Issues/Tune IDS/IPS. NSO Quant: Manage Metrics – Deploy and Audit/Validate. Research Reports and Presentations The Securosis 2010 Data Security Survey. Monitoring up the Stack: Adding Value to SIEM. Network Security Operations Quant Metrics Model. Network Security Operations Quant Report. Top News and Posts Adobe Releases Reader X with Sandbox. FreeBSD Sendmail Problem; update: The Problem Is with Gmail. Lawmakers take away TSA’s fringe benefits. Drive-by Downloads Still Running Wild Blog Comment of the Week Remember, for every comment selected, Securosis makes a $25 donation to Hackers for Charity. This week’s best comment goes to Ian Krieger, in response to Datum Entanglement. Whilst it is a really stupidly-complex [sic] introduction it gets you in the right frame of mind, that is the complexities in securing data (yes I’m talking the plural here) when you have the ability to copy, or extract, it. Looking forward to the next pieces and see where your presentation goes. Share: